Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Web-Based Security for Business Enablement While "secure" and "Web" were once incompatible notions, they are now co-elements that support dynamic Web-based commerce. Technologies such as Web access management, single sign-on, identity management, federation, and strong authentication - when leveraged together - represent a more efficient way to conduct IT-enabled business. This IDC whitepaper explores how competitive advantage can be effectively realized through secure Web business enablement technologies. Learn more... https://www.sans.org/info/38738

- - SANS 2009 in Orlando in early March - the largest security training conference and expo in the world with lots of evening sessions: http://www.sans.org/
- - Looking for training in your own Community? http://sans.org/community/
For a list of all upcoming events, on-line and live: www.sans.org

TOP OF THE NEWS

A judge in Canada has ruled that Internet users have "no reasonable expectation of privacy" regarding records kept by their Internet service providers (ISPs). The ruling was made in the course of a child pornography case in which law enforcement officers asked an ISP to provide subscriber information for an IP address that was allegedly used to access the content. Bell Canada provided the information without a warrant. Most Canadian ISPs require warrants before they will provide subscriber names, except in the case of child pornography. Privacy advocates are concerned the ruling could set a precedent that would put individuals' entire surfing history at the disposal of law enforcement authorities without the need for warrants. They maintain the judge operated under the faulty assumption that the information obtained from the ISP is similar to what could be found in a telephone directory.
-http://www.nationalpost.com/news/story.html?id=1283120
-http://www.montrealgazette.com/news/Police+have+access+your+online+history/1286193/story.html
[Editor's Note (Northcutt): The ever dwindling right to privacy. Keep in mind that ISPs want to collect information on users' surfing, etc., so they can sell that data to marketing firms. Be sure to check out the related FTC story elsewhere in this issue.
(Hoelzer): This topic will become more and more interesting legally since in many jurisdictions governments are requiring that certain records be kept; while the intent is good, the potential for abuse toward individuals unfriendly to a particular political point of view could result in the end. For example, consider the story out of the UK this week moving to consolidate this type of data into top tier providers for easier access and monitoring by government. ]

Rather than requiring every service provider in the UK to keep its own user communication information to comply with European data retention rules, the UK government plans to use BT and other "high tier providers" to retain the data. The move comes as a result of the government's decision not to bear the burden of paying for each individual provider's compliant data retention system. UK draft laws require retention of IP address and session data for 12 months. The data retention scheme is expected to cost taxpayers about GBP 46 million (US $65.7 million).
-http://www.theregister.co.uk/2009/02/16/eu_data_retention_transposition/
-http://www.vnunet.com/computing/news/2236479/retaining-communications-cost

THE REST OF THE WEEK'S NEWS

LEGAL ISSUES

Pirate Bay Trial Begins in Stockholm (February 13 & 16, 2009)

The Swedish trial of the founders of the Pirate Bay website has begun. Pirate Bay contains links that allow site members to download copies of music, movie and television program files; the site's founders are being sued by a group of media companies. The defendants, Frederik Neij, Gottfrid Svartholm Warg, Peter Sunde and Carl Lundstrom, maintain that they have not done anything illegal because the content in question is not hosted on their servers. The four are facing charges of accessory and conspiracy to break copyright law. The lawsuit is seeking 120 million kronor (US $14 million) in damages and interest. The site has an estimated 25 million users. If the men are convicted, they could face sentences of up to two years in prison and fines of as much as US $180,000.
-http://news.bbc.co.uk/2/hi/technology/7892073.stm
-http://blog.wired.com/27bstroke6/2009/02/pirate.html
-http://www.msnbc.msn.com/id/29223839/

ARRESTS, CHARGES, CONVICTIONS & SENTENCES

Two of Three of Tenenbaum's Alleged Accomplices Cleared of Charges (February 11, 2009)

Two of the three people arrested along with Ehud Tenenbaum in Canada last September for their alleged involvement in a fraud scheme have been cleared of charges, although no reason was given for the decision. Tenenbaum and three others were arrested last fall for allegedly breaking into the computer system of Direct Cash Management, a company that sells prepaid debit and credit cards. The system was accessed through an SQL injection attack. Limits on some accounts were changed, and all told, those involved in the scheme stole CN $1.8 million (US $1.4 million). Tenenbaum gained notoriety in the late 1990s for his role in several intrusions into US government computer systems. He is currently free on CN $30,000 (US $24,000) bond, but the US is seeking to extradite him to face other charges. Tenenbaum's girlfriend, Priscilla Mastrangelo, still faces charges.
-http://blog.wired.com/27bstroke6/2009/02/the-analyzers-a.html

GOVERNMENT SYSTEMS AND HOMELAND SECURITY

US State Department Employees Use Biometrics to Access Network (February 11, 2009)

POLICY AND LEGISLATION

Massachusetts officials have once again extended the deadline for compliance with the state's stringent data security regulations. Organizations now have until January 1, 2010 to ensure that any personal data they retain belonging to Massachusetts residents are protected in a number of ways, including encrypting data while they are being transmitted over public networks or stored on devices that can be carried from one location to another, and limiting the amount of information they retain. The decision to extend the deadline was based in part on the current economic climate as well as the need to allow companies ample time to make the necessary changes to their systems. State regulators have also pared back their demands that third parties with access to the data be required to demonstrate that they are compliant with the requirements as well. Originally, the compliance deadline was January 1, 2009; last November, the date was pushed back to May 1, 2009, and last week, it was once again extended.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127961&intsrc=news_ts_head
[Editor's Note (Hoelzer): There are sometimes excellent reasons to extend deadlines. When it comes to compliance requirements, however, my experience tells me that extending the deadline simply leads to businesses choosing to do nothing until the deadline again draws near. ]

A survey from Forrester Research says that the percentage of IT operating budgets devoted to security is increasing, from 11.7 percent in 2008 to 12.6 percent in 2009. Fully half of the security budgets are earmarked for staffing and upgrades to existing technology. The report, "The State of Enterprise IT Security: 2008 to 2009", surveyed nearly 950 IT and security managers in Europe and North America.
-http://computerworld.co.nz/news.nsf/scrt/F53EE9A6133F149FCC25755C0010AEFC

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Ron Dick headed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Prof. Howard A. Schmidt is the President of the Information Security Forum (ISF) and author who has served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/